
     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  // HTTP file system request handler
     6  
     7  package http
     8  
     9  import (
    10  	"errors"
    11  	"fmt"
    12  	"io"
    13  	"mime"
    14  	"mime/multipart"
    15  	"net/textproto"
    16  	"net/url"
    17  	"os"
    18  	"path"
    19  	"path/filepath"
    20  	"sort"
    21  	"strconv"
    22  	"strings"
    23  	"time"
    24  )
    25  
// A Dir implements FileSystem using the native file system restricted to a
// specific directory tree.
//
// While the FileSystem.Open method takes '/'-separated paths, a Dir's string
// value is a filename on the native file system, not a URL, so it is separated
// by filepath.Separator, which isn't necessarily '/'.
//
// Note that Dir could expose sensitive files and directories. Dir will follow
// symlinks pointing out of the directory tree, which can be especially dangerous
// if serving from a directory in which users are able to create arbitrary symlinks.
// Dir will also allow access to files and directories starting with a period,
// which could expose sensitive directories like .git or sensitive files like
// .htpasswd. To exclude files with a leading period, remove the files/directories
// from the server or create a custom FileSystem implementation.
//
// Path traversal via ".." is not a concern: Open cleans the request path under
// a leading "/" before joining it to the directory, so ".." can only collapse
// toward the root. Symlinks and dot-files (above) are the remaining exposure.
//
// An empty Dir is treated as ".".
type Dir string
    43  
// mapDirOpenError maps the provided non-nil error from opening name
// to a possibly better non-nil error. In particular, it turns OS-specific errors
// about opening files in non-directories into os.ErrNotExist. See Issue 18984.
//
// Not-exist and permission errors are returned untouched. Otherwise each
// leading prefix of name is stat'ed in turn: if a prefix exists but is not a
// directory, the request asked for something "inside" a regular file and
// os.ErrNotExist is the honest answer (it also keeps toHTTPError producing a
// 404 rather than a 500). If a prefix cannot be stat'ed at all, the original
// error is preserved.
func mapDirOpenError(originalErr error, name string) error {
	if os.IsNotExist(originalErr) || os.IsPermission(originalErr) {
		return originalErr
	}

	sep := string(filepath.Separator)
	elems := strings.Split(name, sep)
	for idx, elem := range elems {
		if elem == "" {
			continue
		}
		info, statErr := os.Stat(strings.Join(elems[:idx+1], sep))
		switch {
		case statErr != nil:
			return originalErr
		case !info.IsDir():
			return os.ErrNotExist
		}
	}
	return originalErr
}
    67  
// Open implements FileSystem using os.Open, opening files for reading rooted
// and relative to the directory d.
//
// name is always interpreted as an absolute '/'-separated path:
// path.Clean("/"+name) collapses any ".." elements against the root, so the
// joined result cannot escape d by path manipulation (symlinks are a separate
// matter; see Dir). On platforms whose native separator is not '/', a name
// containing that separator is rejected outright rather than reinterpreted.
// Open errors pass through mapDirOpenError so that "regular file used as a
// directory" failures surface as os.ErrNotExist.
func (d Dir) Open(name string) (File, error) {
	const nativeSep = filepath.Separator
	if nativeSep != '/' && strings.ContainsRune(name, nativeSep) {
		return nil, errors.New("http: invalid character in file path")
	}
	root := string(d)
	if root == "" {
		root = "."
	}
	cleaned := path.Clean("/" + name)
	fullName := filepath.Join(root, filepath.FromSlash(cleaned))
	f, err := os.Open(fullName)
	if err != nil {
		return nil, mapDirOpenError(err, fullName)
	}
	return f, nil
}
    85  
// A FileSystem implements access to a collection of named files.
// The elements in a file path are separated by slash ('/', U+002F)
// characters, regardless of host operating system convention.
//
// FileServer hands Open a path.Clean'ed, '/'-prefixed name, but confining
// access to the intended tree (".." handling, symlink policy, hidden files)
// is the implementation's responsibility, as it is for Dir.
type FileSystem interface {
	Open(name string) (File, error)
}
    92  
// A File is returned by a FileSystem's Open method and can be
// served by the FileServer implementation.
//
// The methods should behave the same as those on an *os.File.
// serveFile relies on Stat for IsDir/ModTime/Size/Name, on Readdir for
// directory listings, and on Seek so that serveContent can sniff the
// content type and satisfy Range requests; a failing Seek results in a
// 500 (or a 416 when serving a range), not a truncated body.
type File interface {
	io.Closer
	io.Reader
	io.Seeker
	Readdir(count int) ([]os.FileInfo, error)
	Stat() (os.FileInfo, error)
}
   104  
// dirList writes an HTML listing of the directory f to w, sorted by name.
//
// Each entry becomes one anchor. The href is built with url.URL so that
// reserved characters such as '?', '#' and '"' are percent-encoded and stay
// part of the path (the first two would otherwise start a query or fragment,
// the last would end the attribute); the visible text goes through
// htmlReplacer, which is the only place HTML escaping happens. A Readdir
// failure is logged server-side and reported to the client with a generic 500.
func dirList(w ResponseWriter, r *Request, f File) {
	entries, err := f.Readdir(-1)
	if err != nil {
		logf(r, "http: error reading directory: %v", err)
		Error(w, "Error reading directory", StatusInternalServerError)
		return
	}
	sort.Slice(entries, func(a, b int) bool { return entries[a].Name() < entries[b].Name() })

	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<pre>\n")
	for _, entry := range entries {
		label := entry.Name()
		if entry.IsDir() {
			label += "/"
		}
		href := (&url.URL{Path: label}).String()
		fmt.Fprintf(w, "<a href=\"%s\">%s</a>\n", href, htmlReplacer.Replace(label))
	}
	fmt.Fprintf(w, "</pre>\n")
}
   129  
// ServeContent replies to the request using the content in the
// provided ReadSeeker. The main benefit of ServeContent over io.Copy
// is that it handles Range requests properly, sets the MIME type, and
// handles If-Match, If-Unmodified-Since, If-None-Match, If-Modified-Since,
// and If-Range requests.
//
// If the response's Content-Type header is not set, ServeContent
// first tries to deduce the type from name's file extension and,
// if that fails, falls back to reading the first block of the content
// and passing it to DetectContentType. Callers serving untrusted,
// user-supplied content should set Content-Type explicitly rather than
// rely on sniffing.
// The name is otherwise unused; in particular it can be empty and is
// never sent in the response.
//
// If modtime is not the zero time or Unix epoch, ServeContent
// includes it in a Last-Modified header in the response. If the
// request includes an If-Modified-Since header, ServeContent uses
// modtime to decide whether the content needs to be sent at all.
//
// The content's Seek method must work: ServeContent uses
// a seek to the end of the content to determine its size.
//
// If the caller has set w's ETag header formatted per RFC 7232, section 2.3,
// ServeContent uses it to handle requests using If-Match, If-None-Match, or If-Range.
//
// Note that *os.File implements the io.ReadSeeker interface.
func ServeContent(w ResponseWriter, req *Request, name string, modtime time.Time, content io.ReadSeeker) {
	// Measure the content by seeking to the end and back. The raw seek error
	// is deliberately replaced by errSeeker: serveContent echoes sizeFunc's
	// error text to the client, and an *os.PathError would carry a file path.
	measure := func() (int64, error) {
		end, err := content.Seek(0, io.SeekEnd)
		if err != nil {
			return 0, errSeeker
		}
		if _, err = content.Seek(0, io.SeekStart); err != nil {
			return 0, errSeeker
		}
		return end, nil
	}
	serveContent(w, req, name, modtime, measure, content)
}
   169  
// errSeeker is returned by ServeContent's sizeFunc when the content
// doesn't seek properly. The underlying Seeker's error text isn't
// included in the sizeFunc reply so it's not sent over HTTP to end
// users (serveContent writes sizeFunc's error text into the response body).
var errSeeker = errors.New("seeker can't seek")
   175  
// errNoOverlap is returned by serveContent's parseRange if first-byte-pos of
// all of the byte-range-spec values is greater than the content size.
// serveContent answers it with 416 and a "Content-Range: bytes */size" header.
var errNoOverlap = errors.New("invalid range: failed to overlap")
   179  
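// serveContent is the common implementation behind ServeContent and serveFile.
//
// If name is empty the filename is unknown; it is used only to guess the MIME
// type from its extension before falling back to sniffing. If modtime.IsZero()
// the modification time is unknown. content must be positioned at the start of
// the data. sizeFunc is called at most once and its error text, if any, is sent
// verbatim to the client, so callers must hand in an error that is safe to show
// (ServeContent substitutes errSeeker for exactly this reason).
//
// Ranges: a Range header is honored only when checkPreconditions lets it
// through (If-Range). Ranges whose lengths sum to more than the content size
// are ignored as a probable attack. That check bounds the payload only: each
// part of a multipart/byteranges reply also carries its own MIME headers, so a
// request for very many tiny ranges still yields a response several times
// larger than the content plus proportional work in rangesMIMESize. Handlers
// exposed to untrusted clients may want to cap the number of ranges upstream.
func serveContent(w ResponseWriter, r *Request, name string, modtime time.Time, sizeFunc func() (int64, error), content io.ReadSeeker) {
	setLastModified(w, modtime)
	done, rangeReq := checkPreconditions(w, r, modtime)
	if done {
		return
	}

	code := StatusOK

	// If Content-Type isn't set, use the file's extension to find it, but
	// if the Content-Type is unset explicitly, do not sniff the type.
	ctypes, haveType := w.Header()["Content-Type"]
	var ctype string
	if !haveType {
		ctype = mime.TypeByExtension(filepath.Ext(name))
		if ctype == "" {
			// Read a chunk to decide between utf-8 text and binary. Sniffing
			// can produce text/html, so callers serving user-uploaded content
			// should set Content-Type themselves rather than rely on this.
			var buf [sniffLen]byte
			n, _ := io.ReadFull(content, buf[:])
			ctype = DetectContentType(buf[:n])
			_, err := content.Seek(0, io.SeekStart) // rewind to output whole file
			if err != nil {
				Error(w, errSeeker.Error(), StatusInternalServerError)
				return
			}
		}
		w.Header().Set("Content-Type", ctype)
	} else if len(ctypes) > 0 {
		ctype = ctypes[0]
	}

	size, err := sizeFunc()
	if err != nil {
		Error(w, err.Error(), StatusInternalServerError)
		return
	}

	// handle Content-Range header.
	sendSize := size
	var sendContent io.Reader = content
	if size >= 0 {
		ranges, err := parseRange(rangeReq, size)
		if err != nil {
			if err == errNoOverlap {
				w.Header().Set("Content-Range", fmt.Sprintf("bytes */%d", size))
			}
			Error(w, err.Error(), StatusRequestedRangeNotSatisfiable)
			return
		}
		if sumRangesSize(ranges) > size {
			// The total number of bytes in all the ranges
			// is larger than the size of the file by
			// itself, so this is probably an attack, or a
			// dumb client. Ignore the range request.
			ranges = nil
		}
		switch {
		case len(ranges) == 1:
			// RFC 7233, Section 4.1:
			// "If a single part is being transferred, the server
			// generating the 206 response MUST generate a
			// Content-Range header field, describing what range
			// of the selected representation is enclosed, and a
			// payload consisting of the range.
			// ...
			// A server MUST NOT generate a multipart response to
			// a request for a single range, since a client that
			// does not request multiple parts might not support
			// multipart responses."
			ra := ranges[0]
			if _, err := content.Seek(ra.start, io.SeekStart); err != nil {
				// Do not echo err.Error(): for an *os.File the error is an
				// *os.PathError whose text includes the server-side file path.
				// The sniff rewind above already masks seek failures this way.
				Error(w, errSeeker.Error(), StatusRequestedRangeNotSatisfiable)
				return
			}
			sendSize = ra.length
			code = StatusPartialContent
			w.Header().Set("Content-Range", ra.contentRange(size))
		case len(ranges) > 1:
			sendSize = rangesMIMESize(ranges, ctype, size)
			code = StatusPartialContent

			pr, pw := io.Pipe()
			mw := multipart.NewWriter(pw)
			w.Header().Set("Content-Type", "multipart/byteranges; boundary="+mw.Boundary())
			sendContent = pr
			defer pr.Close() // cause writing goroutine to fail and exit if CopyN doesn't finish.
			go func() {
				// Errors here close the pipe; the client sees a truncated
				// body, never the error text.
				for _, ra := range ranges {
					part, err := mw.CreatePart(ra.mimeHeader(ctype, size))
					if err != nil {
						pw.CloseWithError(err)
						return
					}
					if _, err := content.Seek(ra.start, io.SeekStart); err != nil {
						pw.CloseWithError(err)
						return
					}
					if _, err := io.CopyN(part, content, ra.length); err != nil {
						pw.CloseWithError(err)
						return
					}
				}
				mw.Close()
				pw.Close()
			}()
		}

		w.Header().Set("Accept-Ranges", "bytes")
		if w.Header().Get("Content-Encoding") == "" {
			w.Header().Set("Content-Length", strconv.FormatInt(sendSize, 10))
		}
	}

	w.WriteHeader(code)

	if r.Method != "HEAD" {
		io.CopyN(w, sendContent, sendSize)
	}
}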
   303  
// scanETag determines if a syntactically valid ETag is present at s. If so,
// the ETag and remaining text after consuming ETag is returned. Otherwise,
// it returns "", "".
//
// An ETag is either W/"opaque-tag" or "opaque-tag" (RFC 7232 section 2.3);
// the opaque tag may contain 0x21, 0x23-0x7E and obs-text (0x80 and above),
// so a space or control character inside the quotes is a syntax error.
// The returned etag keeps its W/ prefix, which the strong comparison uses.
func scanETag(s string) (etag string, remain string) {
	s = textproto.TrimString(s)
	body := s
	weakPrefix := 0
	if strings.HasPrefix(body, "W/") {
		weakPrefix = 2
		body = body[2:]
	}
	if len(body) < 2 || body[0] != '"' {
		return "", ""
	}
	for off := 1; off < len(body); off++ {
		switch ch := body[off]; {
		case ch == '"':
			end := weakPrefix + off + 1
			return s[:end], s[end:]
		case ch == 0x21, ch >= 0x23 && ch <= 0x7E, ch >= 0x80:
			// etagc: permitted inside the quotes, keep scanning.
		default:
			return "", ""
		}
	}
	// Opening quote was never closed.
	return "", ""
}
   331  
// etagStrongMatch reports whether a and b match using strong ETag comparison.
// Assumes a and b are valid ETags. A weak tag (W/ prefix) or an empty
// string never matches strongly (RFC 7232 section 2.3.2).
func etagStrongMatch(a, b string) bool {
	if a == "" || a[0] != '"' {
		return false
	}
	return a == b
}
   337  
// etagWeakMatch reports whether a and b match using weak ETag comparison.
// Assumes a and b are valid ETags. The W/ prefix, if present on either
// side, is ignored, so "x" and W/"x" compare equal (RFC 7232 section 2.3.2).
func etagWeakMatch(a, b string) bool {
	const weakPrefix = "W/"
	left := strings.TrimPrefix(a, weakPrefix)
	right := strings.TrimPrefix(b, weakPrefix)
	return left == right
}
   343  
// condResult is the result of an HTTP request precondition check.
// See https://tools.ietf.org/html/rfc7232 section 3.
//
// condNone means the header was absent or could not be used (for example an
// unparseable date, or a method the header does not apply to), condTrue that
// the precondition holds and processing continues, condFalse that it fails.
type condResult int

const (
	condNone condResult = iota
	condTrue
	condFalse
)
   353  
// checkIfMatch evaluates the request's If-Match header against the ETag the
// caller has already set on w (RFC 7232 section 3.1).
//
// The list is walked one entity-tag at a time using strong comparison; "*"
// matches unconditionally. A malformed element stops the scan and the header
// counts as failed (condFalse), which checkPreconditions turns into a 412.
func checkIfMatch(w ResponseWriter, r *Request) condResult {
	list := r.Header.Get("If-Match")
	if list == "" {
		return condNone
	}
	current := w.Header().get("Etag")
	for {
		list = textproto.TrimString(list)
		if list == "" {
			return condFalse
		}
		switch list[0] {
		case ',':
			list = list[1:]
			continue
		case '*':
			return condTrue
		}
		tag, rest := scanETag(list)
		if tag == "" {
			return condFalse
		}
		if etagStrongMatch(tag, current) {
			return condTrue
		}
		list = rest
	}
}
   383  
// checkIfUnmodifiedSince evaluates If-Unmodified-Since against modtime
// (RFC 7232 section 3.4). The header is ignored (condNone) when absent,
// when modtime is unknown, or when the date cannot be parsed.
func checkIfUnmodifiedSince(r *Request, modtime time.Time) condResult {
	header := r.Header.Get("If-Unmodified-Since")
	if header == "" || isZeroTime(modtime) {
		return condNone
	}
	limit, err := ParseTime(header)
	if err != nil {
		return condNone
	}

	// Last-Modified is emitted with second precision, so the comparison must
	// use the same precision or a resource would never compare equal.
	if !modtime.Truncate(time.Second).After(limit) {
		return condTrue
	}
	return condFalse
}
   402  
// checkIfNoneMatch evaluates the request's If-None-Match header against the
// ETag already set on w (RFC 7232 section 3.2), using weak comparison.
//
// "*" or any matching tag yields condFalse (the representation is "not
// modified"). Unlike checkIfMatch, a malformed element ends the scan with
// condTrue, i.e. it is treated as "nothing matched".
func checkIfNoneMatch(w ResponseWriter, r *Request) condResult {
	list := r.Header.get("If-None-Match")
	if list == "" {
		return condNone
	}
	current := w.Header().get("Etag")
	rest := list
	for {
		rest = textproto.TrimString(rest)
		if rest == "" {
			return condTrue
		}
		switch rest[0] {
		case ',':
			rest = rest[1:]
			continue
		case '*':
			return condFalse
		}
		tag, after := scanETag(rest)
		if tag == "" {
			return condTrue
		}
		if etagWeakMatch(tag, current) {
			return condFalse
		}
		rest = after
	}
}
   432  
// checkIfModifiedSince evaluates If-Modified-Since against modtime
// (RFC 7232 section 3.3). The header only applies to GET and HEAD; it is
// ignored (condNone) for other methods, when absent, when modtime is
// unknown, or when the date does not parse. condFalse means "not modified".
func checkIfModifiedSince(r *Request, modtime time.Time) condResult {
	switch r.Method {
	case "GET", "HEAD":
	default:
		return condNone
	}
	header := r.Header.Get("If-Modified-Since")
	if header == "" || isZeroTime(modtime) {
		return condNone
	}
	since, err := ParseTime(header)
	if err != nil {
		return condNone
	}
	// Last-Modified is emitted with second precision; compare at that
	// precision so an unchanged resource is recognised as such.
	if modtime.Truncate(time.Second).After(since) {
		return condTrue
	}
	return condFalse
}
   453  
// checkIfRange evaluates the If-Range header (RFC 7233 section 3.2), which
// decides whether a Range request may be served as a partial response.
//
// An entity-tag validator must match the response ETag with strong
// comparison. Otherwise the value is treated as an HTTP-date that must equal
// modtime to the second (golang.org/issue/8367). Note this uses
// modtime.IsZero rather than isZeroTime, so a Unix-epoch modtime is still
// compared. Any mismatch or parse failure is condFalse, which makes the
// caller send the whole representation instead.
func checkIfRange(w ResponseWriter, r *Request, modtime time.Time) condResult {
	if r.Method != "GET" && r.Method != "HEAD" {
		return condNone
	}
	ifRange := r.Header.get("If-Range")
	if ifRange == "" {
		return condNone
	}
	if tag, _ := scanETag(ifRange); tag != "" {
		if etagStrongMatch(tag, w.Header().Get("Etag")) {
			return condTrue
		}
		return condFalse
	}
	if modtime.IsZero() {
		return condFalse
	}
	date, err := ParseTime(ifRange)
	if err != nil {
		return condFalse
	}
	if date.Unix() != modtime.Unix() {
		return condFalse
	}
	return condTrue
}
   484  
// unixEpochTime is the second "unknown" modification time besides the zero
// time.Time; file systems that do not record mtimes commonly report it.
var unixEpochTime = time.Unix(0, 0)
   486  
// isZeroTime reports whether t is obviously unspecified (either zero or Unix()=0).
// Equal is used for the epoch check so the location of t does not matter.
func isZeroTime(t time.Time) bool {
	if t.IsZero() {
		return true
	}
	return t.Equal(unixEpochTime)
}
   491  
// setLastModified sets the Last-Modified header from modtime, formatted in
// UTC per TimeFormat. Nothing is emitted when the time is unknown (zero or
// Unix epoch), so clients do not cache against a meaningless date.
func setLastModified(w ResponseWriter, modtime time.Time) {
	if isZeroTime(modtime) {
		return
	}
	w.Header().Set("Last-Modified", modtime.UTC().Format(TimeFormat))
}
   497  
// writeNotModified sends a 304 response.
//
// RFC 7232 section 4.1: a sender SHOULD NOT generate representation metadata
// other than the listed validator fields unless it guides cache updates, so
// Content-Type and Content-Length are dropped, and Last-Modified is dropped
// as well when an ETag is present to stand in for it.
func writeNotModified(w ResponseWriter) {
	h := w.Header()
	for _, key := range []string{"Content-Type", "Content-Length"} {
		delete(h, key)
	}
	if h.Get("Etag") != "" {
		delete(h, "Last-Modified")
	}
	w.WriteHeader(StatusNotModified)
}
   512  
// checkPreconditions evaluates request preconditions and reports whether a precondition
// resulted in sending StatusNotModified or StatusPreconditionFailed.
//
// The evaluation order is that of RFC 7232 section 6: If-Match, then
// If-Unmodified-Since (only when If-Match is absent), then If-None-Match, then
// If-Modified-Since (only when If-None-Match is absent), and finally If-Range.
// The returned rangeHeader is the request's Range value, or "" when there is
// none or when If-Range did not validate, in which case the caller must send
// the whole representation.
func checkPreconditions(w ResponseWriter, r *Request, modtime time.Time) (done bool, rangeHeader string) {
	first := checkIfMatch(w, r)
	if first == condNone {
		first = checkIfUnmodifiedSince(r, modtime)
	}
	if first == condFalse {
		w.WriteHeader(StatusPreconditionFailed)
		return true, ""
	}

	switch checkIfNoneMatch(w, r) {
	case condFalse:
		// A matching tag is "not modified" for safe methods and a failed
		// precondition for everything else (this is how lost updates are avoided).
		if r.Method == "GET" || r.Method == "HEAD" {
			writeNotModified(w)
		} else {
			w.WriteHeader(StatusPreconditionFailed)
		}
		return true, ""
	case condNone:
		if checkIfModifiedSince(r, modtime) == condFalse {
			writeNotModified(w)
			return true, ""
		}
	}

	rangeHeader = r.Header.get("Range")
	if rangeHeader != "" && checkIfRange(w, r, modtime) == condFalse {
		rangeHeader = ""
	}
	return false, rangeHeader
}
   547  
// serveFile serves the named file or directory from fs. name is
// '/'-separated, not filepath.Separator. When redirect is true the request is
// first steered to its canonical form (directories end in '/', files do not),
// which requires r.URL.Path to begin with '/'.
//
// Directories are served from their index.html when one opens and stats
// successfully; otherwise a listing is generated via dirList, so every
// directory without an index.html is browsable. Wrap the FileSystem if that
// is not wanted. Open and Stat errors are reduced to generic messages by
// toHTTPError; precondition handling for files is left to serveContent.
func serveFile(w ResponseWriter, r *Request, fs FileSystem, name string, redirect bool) {
	const indexPage = "/index.html"

	// Canonicalize .../index.html to .../ with a relative redirect; Redirect()
	// would absolutize the path, which breaks under StripPrefix.
	if strings.HasSuffix(r.URL.Path, indexPage) {
		localRedirect(w, r, "./")
		return
	}

	f, err := fs.Open(name)
	if err != nil {
		msg, code := toHTTPError(err)
		Error(w, msg, code)
		return
	}
	defer f.Close()

	info, err := f.Stat()
	if err != nil {
		msg, code := toHTTPError(err)
		Error(w, msg, code)
		return
	}

	if redirect {
		reqPath := r.URL.Path
		endsWithSlash := reqPath[len(reqPath)-1] == '/'
		switch {
		case info.IsDir() && !endsWithSlash:
			localRedirect(w, r, path.Base(reqPath)+"/")
			return
		case !info.IsDir() && endsWithSlash:
			localRedirect(w, r, "../"+path.Base(reqPath))
			return
		}
	}

	if info.IsDir() {
		reqPath := r.URL.Path
		// Directory URLs must end in '/' so relative links in the listing resolve.
		if reqPath == "" || reqPath[len(reqPath)-1] != '/' {
			localRedirect(w, r, path.Base(reqPath)+"/")
			return
		}

		// Prefer the directory's index.html when it can be opened and stat'ed.
		indexName := strings.TrimSuffix(name, "/") + indexPage
		if indexFile, openErr := fs.Open(indexName); openErr == nil {
			defer indexFile.Close()
			if indexInfo, statErr := indexFile.Stat(); statErr == nil {
				name = indexName
				info = indexInfo
				f = indexFile
			}
		}
	}

	// Still a directory: no usable index.html, so emit a listing.
	if info.IsDir() {
		if checkIfModifiedSince(r, info.ModTime()) == condFalse {
			writeNotModified(w)
			return
		}
		setLastModified(w, info.ModTime())
		dirList(w, r, f)
		return
	}

	// serveContent evaluates the remaining preconditions itself.
	sizeFunc := func() (int64, error) { return info.Size(), nil }
	serveContent(w, r, info.Name(), info.ModTime(), sizeFunc, f)
}
   629  
// toHTTPError returns a non-specific HTTP error message and status code
// for a given non-nil error value. It's important that toHTTPError does not
// actually return err.Error(), since msg and httpStatus are returned to users,
// and historically Go's ServeContent always returned just "404 Not Found" for
// all errors. We don't want to start leaking information in error messages
// (an *os.PathError, for instance, would reveal the server-side path).
func toHTTPError(err error) (msg string, httpStatus int) {
	switch {
	case os.IsNotExist(err):
		return "404 page not found", StatusNotFound
	case os.IsPermission(err):
		return "403 Forbidden", StatusForbidden
	default:
		return "500 Internal Server Error", StatusInternalServerError
	}
}
   645  
// localRedirect gives a Moved Permanently response.
// It does not convert relative paths to absolute paths like Redirect does.
//
// Callers in this file only pass relative references ("./", "<base>/",
// "../<base>"), which the client resolves against the request URL, and the
// original query string is carried over so it survives the redirect.
func localRedirect(w ResponseWriter, r *Request, newPath string) {
	target := newPath
	if q := r.URL.RawQuery; q != "" {
		target += "?" + q
	}
	w.Header().Set("Location", target)
	w.WriteHeader(StatusMovedPermanently)
}
   655  
// ServeFile replies to the request with the contents of the named
// file or directory.
//
// If the provided file or directory name is a relative path, it is
// interpreted relative to the current directory and may ascend to
// parent directories. If the provided name is constructed from user
// input, it should be sanitized before calling ServeFile.
//
// As a precaution, ServeFile will reject requests where r.URL.Path
// contains a ".." path element; this protects against callers who
// might unsafely use filepath.Join on r.URL.Path without sanitizing
// it and then use that filepath.Join result as the name argument.
// The check is on the URL path only: it cannot catch a name that was
// already joined or that ascends for other reasons.
//
// As another special case, ServeFile redirects any request where r.URL.Path
// ends in "/index.html" to the same path, without the final
// "index.html". To avoid such redirects either modify the path or
// use ServeContent.
//
// Outside of those two special cases, ServeFile does not use
// r.URL.Path for selecting the file or directory to serve; only the
// file or directory provided in the name argument is used.
func ServeFile(w ResponseWriter, r *Request, name string) {
	// Too many programs use r.URL.Path to construct the argument to
	// serveFile. Reject the request under the assumption that happened
	// here and ".." may not be wanted. name itself might not contain "..",
	// for example if code (still incorrectly) used filepath.Join(myDir, r.URL.Path).
	if containsDotDot(r.URL.Path) {
		Error(w, "invalid URL path", StatusBadRequest)
		return
	}
	dir, base := filepath.Split(name)
	serveFile(w, r, Dir(dir), base, false)
}
   690  
// containsDotDot reports whether v has a path element that is exactly "..".
// Both '/' and '\' are treated as separators so a Windows-style path cannot
// slip past the check; "a..b" or "..." do not count.
func containsDotDot(v string) bool {
	if !strings.Contains(v, "..") {
		return false
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	segments := strings.FieldsFunc(v, isSep)
	for i := range segments {
		if segments[i] == ".." {
			return true
		}
	}
	return false
}
   702  
// isSlashRune reports whether r is a forward or backward slash, the two
// separators containsDotDot splits on.
func isSlashRune(r rune) bool {
	switch r {
	case '/', '\\':
		return true
	}
	return false
}
   704  
// fileHandler is the Handler returned by FileServer; root is the FileSystem
// every request path is resolved against.
type fileHandler struct {
	root FileSystem
}
   708  
// FileServer returns a handler that serves HTTP requests
// with the contents of the file system rooted at root.
//
// To use the operating system's file system implementation,
// use http.Dir:
//
//     http.Handle("/", http.FileServer(http.Dir("/tmp")))
//
// As a special case, the returned file server redirects any request
// ending in "/index.html" to the same path, without the final
// "index.html".
//
// Directories without an index.html are served as an HTML listing, and
// with http.Dir that includes dot-files and symlink targets (see Dir).
// Provide a wrapping FileSystem to restrict either.
func FileServer(root FileSystem) Handler {
	h := &fileHandler{root: root}
	return h
}
   723  
// ServeHTTP implements Handler. The request path is forced to begin with
// '/' (serveFile's redirect logic indexes the last byte and relies on this)
// and cleaned before it is resolved against the root FileSystem.
func (f *fileHandler) ServeHTTP(w ResponseWriter, r *Request) {
	reqPath := r.URL.Path
	if !strings.HasPrefix(reqPath, "/") {
		reqPath = "/" + reqPath
		r.URL.Path = reqPath
	}
	serveFile(w, r, f.root, path.Clean(reqPath), true)
}
   732  
// httpRange specifies the byte range to be sent to the client.
// start is a 0-based offset into the content and length the number of
// bytes; parseRange is meant to produce only ranges lying within the
// content, and serveContent additionally drops sets whose lengths sum to
// more than the content size.
type httpRange struct {
	start, length int64
}
   737  
// contentRange formats the range as an RFC 7233 Content-Range value,
// "bytes first-last/size", where last is inclusive.
func (r httpRange) contentRange(size int64) string {
	first := strconv.FormatInt(r.start, 10)
	last := strconv.FormatInt(r.start+r.length-1, 10)
	return "bytes " + first + "-" + last + "/" + strconv.FormatInt(size, 10)
}
   741  
// mimeHeader builds the per-part header of a multipart/byteranges response:
// the part's Content-Range and the Content-Type of the whole representation.
func (r httpRange) mimeHeader(contentType string, size int64) textproto.MIMEHeader {
	h := make(textproto.MIMEHeader, 2)
	h.Set("Content-Range", r.contentRange(size))
	h.Set("Content-Type", contentType)
	return h
}
   748  
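// parseRange parses a Range header string as per RFC 7233.
// errNoOverlap is returned if none of the ranges overlap.
//
// s is the raw header value and size the length of the representation. The
// result is nil with a nil error when the header is absent; empty elements
// between commas are skipped. Every returned range satisfies start >= 0,
// length >= 1 and start+length <= size, so callers can seek and copy without
// further bounds checks.
//
// Suffix ranges ("-N") are <suffix-length>s, which RFC 7233 section 2.1
// defines as a non-negative integer. A negative N (e.g. "bytes=--5") is
// rejected as invalid; previously it parsed and produced a range starting
// past the end with a negative length, which flowed into Content-Range and
// Content-Length. A suffix of zero bytes (or any suffix against an empty
// representation) is unsatisfiable and counts as non-overlapping rather than
// yielding an empty range.
func parseRange(s string, size int64) ([]httpRange, error) {
	if s == "" {
		return nil, nil // header not present
	}
	const b = "bytes="
	if !strings.HasPrefix(s, b) {
		return nil, errors.New("invalid range")
	}
	var ranges []httpRange
	noOverlap := false
	for _, ra := range strings.Split(s[len(b):], ",") {
		ra = textproto.TrimString(ra)
		if ra == "" {
			continue
		}
		i := strings.Index(ra, "-")
		if i < 0 {
			return nil, errors.New("invalid range")
		}
		start, end := textproto.TrimString(ra[:i]), textproto.TrimString(ra[i+1:])
		var r httpRange
		if start == "" {
			// If no start is specified, end specifies the
			// range start relative to the end of the file.
			// It must be a non-negative integer; a leading '-' would
			// otherwise parse and produce a negative length.
			if end == "" || end[0] == '-' {
				return nil, errors.New("invalid range")
			}
			i, err := strconv.ParseInt(end, 10, 64)
			if err != nil || i < 0 {
				return nil, errors.New("invalid range")
			}
			if i > size {
				i = size
			}
			if i == 0 {
				// Zero trailing bytes (or an empty representation): nothing
				// to serve, so treat it as a non-overlapping range.
				noOverlap = true
				continue
			}
			r.start = size - i
			r.length = size - r.start
		} else {
			i, err := strconv.ParseInt(start, 10, 64)
			if err != nil || i < 0 {
				return nil, errors.New("invalid range")
			}
			if i >= size {
				// If the range begins after the size of the content,
				// then it does not overlap.
				noOverlap = true
				continue
			}
			r.start = i
			if end == "" {
				// If no end is specified, range extends to end of the file.
				r.length = size - r.start
			} else {
				i, err := strconv.ParseInt(end, 10, 64)
				if err != nil || r.start > i {
					return nil, errors.New("invalid range")
				}
				if i >= size {
					i = size - 1
				}
				r.length = i - r.start + 1
			}
		}
		ranges = append(ranges, r)
	}
	if noOverlap && len(ranges) == 0 {
		// The specified ranges did not overlap with the content.
		return nil, errNoOverlap
	}
	return ranges, nil
}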
   818  
// countingWriter counts how many bytes have been written to it.
// rangesMIMESize uses it as a dry-run sink to size a multipart body
// without buffering it.
type countingWriter int64
   821  
// Write implements io.Writer by discarding p and adding its length to the
// running total. It never fails.
func (w *countingWriter) Write(p []byte) (n int, err error) {
	n = len(p)
	*w += countingWriter(n)
	return n, nil
}
   826  
// rangesMIMESize returns the number of bytes it takes to encode the
// provided ranges as a multipart response.
//
// The framing is measured by driving a throwaway multipart.Writer into a
// countingWriter, then the payload lengths are added. serveContent emits the
// real body with a different Writer (and boundary), so the figure relies on
// multipart boundaries always having the same length; it is used for
// Content-Length, so that assumption must hold.
func rangesMIMESize(ranges []httpRange, contentType string, contentSize int64) (encSize int64) {
	var framing countingWriter
	mw := multipart.NewWriter(&framing)
	var payload int64
	for _, ra := range ranges {
		mw.CreatePart(ra.mimeHeader(contentType, contentSize))
		payload += ra.length
	}
	mw.Close()
	return payload + int64(framing)
}
   840  
// sumRangesSize returns the total number of payload bytes the ranges cover.
// serveContent compares this against the content size to detect abusive
// range sets; it does not include multipart framing.
func sumRangesSize(ranges []httpRange) (size int64) {
	var total int64
	for i := range ranges {
		total += ranges[i].length
	}
	return total
}
   847  
